I'm trying to create simple login/registration page.
I'm using index.php which includes login.php in it.
I want to report the login errors in a specific position, using an answer to a preious question.
The problem is that if I encounter an error, the url changes to the login.php file and on next login I get error of "Cannot find page".
I want to eventually be able somehow display errors and be able to get another input and handle it.
login.php:
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="kupon"; // Database name
$tbl_name="users"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$email=$_POST['email'];
$password=$_POST['password'];
// To protect MySQL injection
$email = stripslashes($email);
$password = stripslashes($password);
$email = mysql_real_escape_string($email);
$password = mysql_real_escape_string($password);
$sql="SELECT * FROM $tbl_name WHERE email='$email' and password='$password'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $email and $password, table row must be 1 row
if($count==1){
// Register $email, $password
$_SESSION['email'] = $email;
$_SESSION['password'] = $password;
header("location: members.php");
}
else {
$error = '<p class="error">User does not exist</p>'
include('../index.php');
exit;
}
?>
index.php form:
<form action="php/login.php" method="post" class="form">
<p class="email">
<input type="text" name="email" /> :דואר אלקטרוני</br>
</p>
<p class="password">
<input type="password" name="password" /> :סיסמא</br>
</p>
<p class="submit">
<input type="submit" value="היכנס" />
</p>
</form>
<?php
if(isset($error)) echo $error;
?>
You shouldn't put passwords or other Personal Identification Information into the session. Better to have your login code assign a session ID with an identification that links it to the user in your database. (Like a column filled with unique values called userid)
You need to make sure you are initializing the session in the login.php and any page that you want to have require they be authenticated. This allows you to have the page check the session to confirm that the user is actually logged in.
To resolve the 404 error (Page Not Found), you need to fix this: header("location: members.php");. That needs to be the full path of the file. Since your login.php file is under the directory of php and members.php is not, when you get directed to login.php, this location forward tries to load members.php in the php directory and since it is not there, it gives a 404 error.
You are including the login.php, but the actual page is index.php - so you should post your form to index.php instead.
It looks like you have a problem using relative urls.
You start on index.php, which redirects on form submission to php/login.php.
Next time, you submit to php/php/login.php instead.
If you're in the document root, try using /index.php and /php/login.php instead. I can't be more specific without knowing more about your project's layout however.
Related
I have a website, mostly composed with public links, that is anyone can see them.
But I was thinking in creating some pages that could only be accessed by people who were registered on my website.
I looked around and found out that for that I would need a CMS, so I went to my host's CPanel to get one (DRUPAL) but instead of using what I already had, it simply created a new site.
By searching around people only want to know "how to integrate paypal with a membership site"...
Mine is supposed to be free; people join but don't need to pay for anything (at least for now) but some links can't be displayed to non-members.
I managed to get everything setup but I get an error...:
Warning: mysql_connect(): Access denied for user 'MYDATABASE_NAME'#'XXX.XX.XX.XX' (using password: YES) in /home/USERNAME/public_html/config.php on line 10
cannot connect to server
What's this? I have a few lines of code on the config.php
<?php
$host="www.triplestrata.com"; // Host name - my website
$username="MYDATABASE_USERNAME"; // Mysql username
$password="MYSQLPASSWORD"; // Mysql password
$db_name="MEMBER"; // Database name - I called my database MEMBER without the prefix
//Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect to server");
mysql_select_db("$db_name")or die("cannot select DB");
?>
This is right, Ya?
Use session variables.
With them, you can limit the entry to the page only when the session is occurring.
Make a login page, and then allow session start on all your pages, so the login follows.
Then, on the page you require, just add a clause that determines that only with the session started as a member, can one enter the page. If not, exit to mainpage or something.
Example:
<?php
Session_start();
if (!isset($_SESSION["lojamusica"]))
header("Location:errorlogin.php");
if ($_SESSION["lojamusica"]!="OK")
header("Location:errorlogin.php");
?>
In here, i am only allowing people with the session started, and connected to the database to enter my webpage, just need to pu this on top of the pages.
This is my loggin example, which came from a form on a previous page:
<?php
Session_start();
Session_destroy();
mysql_connect("localhost","root","") or die("problema na conexao");
mysql_select_db("lojamusica");
$query = "SELECT username, password FROM login WHERE username='".$_POST["user"]."'";
$results = mysql_query($query) or die(mysql_error());
$num = mysql_num_rows($results);
if ($num == 0)
echo "Username not found!";
else {
$row = mysql_fetch_array($results);
if ($row["password"] == $_POST["pass"])
{
Session_start();
$_SESSION["username"] = $_POST["user"];
$_SESSION["lojamusica"] = "OK";
header("Location:mainpage.html");
}
else
header("Location:login2.html");
}
?>
This is the login page, simplified:
<form action="login.php" method="POST">
<label>Username:</label>
<input type="text" name="user" />
<label>Password:</label>
<input type="password" name="pass" /><br>
<input type="submit" value="Submit" />
<input type="reset" value="Reset">
>
</h1></form>
To logout, simply reditect to a page like so:
<?php
Session_start();
Session_destroy();
echo "<script language='javascript'> window.top.location.href = 'login2.html'; </script>";
?>
ok, i have a php and mysql script that allows you to log in if you have a username / password
once entered correctly it forwards you to the members page. here i would like it to load the persons full name of who as loged in, like it does on this site top right.
here is the code to the members area
<?php
$host="localhost"; // Host name
$username="stephen2_phptest"; // Mysql username
$password="********"; // Mysql password
$db_name="stephen2_phptest"; // Database name
$tbl_name="registers"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
session_start();
if(!session_is_registered(myusername)){
header("location:index.php");
$myusername=$_POST['myusername'];
}
?>
<html>
<link rel="stylesheet" type="text/css" href="../php/css/styles.css">
<body>
<div class="members-screen">
Login Successful</br>
Welcome [persons name to load here]<?php echo $_POST['myusername'] ?> | Logout
<div class="menu">
<div class="menu-btn">
Home
</div>
<div class="menu-btn">
Search
</div>
<div class="menu-btn">
Messages
</div>
<div class="menu-btn">
Matches
</div>
<div class="menu-btn">
My Account
</div>
</div>
</div>
</body>
</html>`
any ideas?
1) You don't need db connection on members page.
2) Try this on your login.php page(with the changes as per your need i.e: here i used "users" as the name of the table.)
3) Add <?php session_start(); ?> at the top of login.php page and every other page where you need username to be echoed.
4) Here in my example code,$_SESSION['username'] is what you need to be able echo username at the right side of the page. And since you may need to use it on other pages too using $_SESSION variable would be a better idea than using $_POST var.
$sql = "select *,myusername from users where myusername = '$myusername' and mypassword = '$mypassword'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result, MYSQL_ASSOC);
if($row)
{
$_SESSION['username'] = $row['myusername'];
$_SESSION['password'] = $row['mypassword'];
}
and echo $_SESSION['username'] where you need it.
His name will be displayed as long as he has not logged out,and also destroy session on logout.php.
Assign your login information that you plan on outputting to a Session variable array.
I have a MySQL database with a user called admin (and password admin). I am using this to test my configuration. When I click login, nothing happens. Can anyone see if I've done something wrong?
Here is my logon form:
<form action="loginProcess.php" method="POST">
Username: <input type='text' name='username'></br>
<!-- input type password makes the password hidden as it is typed -->
Password: <input type='password' name='password'></br>
<input type='submit' value='Login'/>
</form>
</br>
</br>
<!-- Register New User -->
<form action="register.php" method="POST"> </br>
Not Registered?<input type='submit' value='Click Here To Register'/>
</form>
This form takes you to this loginProcess.php file:
<?php
ob_start();
session_start();
// Include database connection and select database UFPProducts
include "./shopdb/connection.php";
?>
<?php
//
// (2) Collect data from form and save in variables
// real escape string to protect from SQLi attacks
$username=mysql_real_escape_string(htmlentities($_POST['username']));
$password=mysql_real_escape_string(htmlentities($_POST['password']));
// (3) Create query of the form below to search the user table
// "SELECT * FROM Users WHERE UserName='$username' AND Password='$password'"
$query = "SELECT * FROM USERS where Username='$username' AND Password='$password'";
$result = mysql_query($query) or die (mysql_error());
// (3) Run query through connection
// (4) Check result of query using code below
// if rows found set authenticated user to the user name entered
if (mysql_num_rows($result) > 0) {
$_SESSION["authenticatedUser"] = $username;
// Relocate to the logged-in page
header("Location: ./login/loggedOn.php");
}
else
// login failed redirect back to login page with error message
{
$_SESSION["message"] = "Could not connect as $username " ;
header("Location: login.php");
}
?>
And here is my connection.php file just incase anyone wants to see:
<?php
//*** "die()" will exit the script and show an error if something goes wrong with the "connect" or "select" functions.
//*** A "mysql_connect()" error usually means your connection specific details are wrong
//*** A "mysql_select_db()" error usually means the database does not exist.
// Place db host name. Usually is "localhost" but sometimes a more direct string is needed
$db_host = "localhost";
// Place the username for the MySQL database here
$db_username = "root";
// Place the password for the MySQL database here
$db_pass = "";
// Place the name for the MySQL database here
$db_name = "UFPProducts";
$connect = mysql_connect("$db_host","$db_username","$db_pass") or die(mysql_error());
mysql_select_db("$db_name") or die("there is no database with that name");
// echo "<center>You are successfully connected to the Under5Pounds database.</center><br>";
?>
I'm not getting any error messages right now, it just doesn't do anything once I type in the username + password and click login.
try this code in loginProcess.php
$username=$_POST['username'];
$password=$_POST['password'];
I think you should remove
ob_start();
from the first line of loginProcess.php file, it has nothing to do there (unless tell me the good reason) and it blocks data to be sent to the browser
I have the following code. Now when I press the login button nothing happens and the username and password are cleared.
<?php
session_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="csduc"; // Database name
$tbl_name="students"; // Table name
// Connect to server and select databse.
$connect=mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['username'];
$mypassword=$_POST['password'];
// To protect MySQL injection (more detail about MySQL injection).
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql,$connect);
$row=mysql_fetch_array($result);
// Mysql_num_row is counting table row.
//$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row.
if($row)
{
// Register $myusername, $mypassword and redirect to file "login_success.php".
session_register("myusername");
session_register("mypassword");
header("location: main.php");
}
else
{
echo "Wrong Username or Password";
}
?>
How can I solve this?
The correct name for the header is "Location" (with a capital 'L'). This may or may not matter. Also, technically, the Location header requires an absolute URL (eg. "http://example.com/main.php") -- some browsers will accept a relative url, but the spec requires the absolute url. Again, this may or may not be causing your problem.
So, to be more "technically correct" your redirect could be changed to something like this:
$host = $_SERVER['HTTP_HOST'];
$uri = rtrim(dirname($_SERVER['PHP_SELF']), '/');
header("Location: http://$host$uri/main.php");
check out the php documentation page for the header() function for more details.
Your form tag has a problem.
It needs to be as follows:
<form method="POST" action="">
Assuming action is the same page as the code above. Otherwise point the action to the page that has the code in it. Make sure the code is at the very top of the page, otherwise session start and header won't work
For testing use
echo $myusername=$_POST['username'];
echo $mypassword=$_POST['password'];
exit;
and use sql as because password may be encoded
$sql="SELECT * FROM $tbl_name WHERE username='$myusername'";
$result=mysql_query($sql,$connect);
$row=mysql_fetch_array($result);
First off I want to start off saying that I don't know anything about PHP so I would appreciate all the help I can get.
So I have a website hosted on godaddy where I upload files for my clients. With the help of a friend I made a simple login system with usernames and passwords. The problem is that although the websites can't be accessed without inputting the username and password, the files suchs as .jpg can be accessed by directly inputting the full link in the browser. I want it to be so that the only way the files are accessed through the user webpage. Also I want each user to be able to access only their own files and not the others. So here is my code and if there are any additional changes that need to be made to avoid hacking I will greatly appreciate the input.
index.php file code for the form that is being used to input username and password:
<form name="form1" method="post" action="checklogin.php">
<div class="lefts">
<p>Login:</p>
<p>Password:</p>
</div>
<div>
<input name="myusername" type="text" id="myusername" />
<input name="mypassword" type="password" id="mypassword" />
</div>
<div><input type="image" name="Submit" id="submit" value="Login" src="images/submitOff.png" /></div>
</form>
checklogin.php: (if correct username and password is entered, it goes to the username webpage. if not it goes to the wrong username or password webpage
<?php
ob_start();
session_start();
$host="hostname"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="dbnamey"; // Database name
$tbl_name="tablename"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT username FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
//returns false if no results returned
$row = mysql_fetch_row($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($row){
// Register $myusername, $mypassword and redirect to file
$_SESSION["myusername"] = $myusername;
$_SESSION["mypassword"] = $mypassword;
$myPage = $myusername.".php";
$_SESSION["myPage"] = $myPage;
header("location:".$myPage);
}
else {
header("location:index2.php");
}
ob_end_flush();
?>
username1.php: (webapge for user that contains files)
<?
session_start();
if(
//!session_is_registered(myusername)
!isset($_SESSION["myusername"]) ||
$_SESSION["myPage"] != basename($_SERVER['REQUEST_URI'])
){
header("location:index.php");
}
?>
<html>
//content that consist of links to the files
Png 1
</html>
The security of this script is very bad. You aren't hashing passwords. The header() allows you to add an element to the HTTP response header. THE SCRIPT STILL EXECUTES., you are not preventing access to anything. Furhter more, mysql_real_escape_string() does everything that addslashes() does and more. Doing both just tells people that you don't know what either of them does. You must start using parametrized quires with ADODB or the PDO libraries.
Use an .htaccess file to prevent accesss
Order deny, allow
Deny from all
Allow from localhost